Jump to content
Tuts 4 You

A better way to dump .NET assembly packed by a native stub

wwh1004

By wwh1004,
in Reverse Engineering Articles

Followers 2

Recommended Posts

wwh1004

wwh1004 46

Posted
Posted (edited)

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.:)

Best wish.

Edited by wwh1004 (see edit history)
  • Like 6
  • Thanks 1
Link to post
BlackHat

BlackHat 70

Posted
Posted

There is a Script of OLLYDBG made by @GIV that also helps to unpack the Anti Dump protected .NET Files and newbie Friendly too.
But this method I tested and works well which you described.
Very nice Explanation too. Thank you !!! 

Link to post
  • 9 months later...
Sangavi

Sangavi 25

Posted
Posted
2 hours ago, john fast said:

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

I believe they charge for giving out the invitation codes (it is not free of cost) as far as I remember.

Link to post
  • 4 months later...
thanhthuanbui0610@gmail.co

thanhthuanbui0610@gmail.co 0

Posted
Posted

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

Link to post
  • 2 weeks later...
tungtruong20xx

tungtruong20xx 0

Posted
Posted
On 8/23/2020 at 2:55 PM, thanhthuanbui0610@gmail.co said:

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

Link to post
  • 2 weeks later...
huynhchicong91

huynhchicong91 0

Posted
Posted
On 9/3/2020 at 11:49 PM, tungtruong20xx said:

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

bạn unpack dc netprotect v1.0 ko ?

Link to post
  • 3 weeks later...
namcuong

namcuong 0

Posted
Posted
On 9/3/2020 at 11:49 PM, tungtruong20xx said:

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

xin file unpack được không bạn

Link to post
  • 1 month later...
goro1988

goro1988 0

Posted
Posted

@wwh1004 Hello brother, my most cordial, affection, would you be so kind, to share the link of your tool, [.NET] AssemblyRebuilder v1.2.2.0 by Wwh, since I did not see it in pan.baidu, and it was removed from github, yes It is not a problem, could you send me a link where to download it

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Followers 2
Go to topic listing
×
×
  • Create New...